Review: The OpenBSD Packet Filter Book

Contributed by
sean
on 2006-12-26
from the dept.

The wide variety of features and flexibility has made PF popular as
a general packet filter in the various BSDs. It has been ported to pretty
much all of them and I'm still holding some hope that Apple will port it over
to OS X. Aside from that the PF manuals around are usually of the 'how to
use and install' OpenBSD variety. Jeremy Reed's packaging of the PF FAQ
is definitely an exception. His book is
called The OpenBSD Packet Filter Book (or 'PF-Book' for short) and is published via Lulu's self publishing services.

Starting from the original FAQ and working towards a print version, Jeremy
has packaged up a rather complete tome on our friendly packet filter. I've
read the book in it's entirety and for comparison's sake the original FAQ.
Just flipping through the book, it is obvious that Jeremy took the time to
paginate and format the entire text into something easily readable on the
bus (my venue for this book) or pretty much anywhere, as the form factor is
quite comfortable (a bit larger than a pulp novel). On the form itself, the
index while being complete and helpful has a bold face which I find a bit distracting
and renders the text larger than the normal face in the rest of the book.
One of the nice changes Jeremy made was replacing the brain teasing ASCII art diagrams
(much easier to handle with a mono space font) to graphically rendered versions which
makes things clearer at a glance.

The audience for this book is any user already familiar with the various BSD
incarnations but is intrigued by the idea of using PF in their environment
(instead of converting to OpenBSD 'whole-hog'). If you are looking for a
book which goes into more detail about setting up OpenBSD and using PF then
I would suggest Jacek's approach to the topic but if all you care about is PF then you found the right one. The PF-Book is also well suited as a nice encyclopedic reference of the various uses and features PF has and the
through index at the back makes it suited for this function.

This book took me a long time to read as there have been a number
of large projects at work and 'at home' so the book was read chapter by chapter
either on the commute to the office or while forcing a break during the day.
This is usually a bad thing for technical books but in this case each of the
chapters was self contained and the examples didn't distract from the bulk of
the material.

Since I'm more comfortable with the 'dead-tree' format I learned all kinds of
things that I didn't get from reading the online version (but were still there). Specifically a few examples are the
explanation of the state manipulation (ie. modulate, synproxy) and tcp flag use in pass rules.

One thing I felt lacking was in examples portion as the examples given dealt
with very simple uses of PF in basic environments I would have definitely
appreciated a few more complicated examples which show off the power of PF
in not so trivial network layouts (such as bridges and IPsec tunnelling).

Another welcome addition was the appending summarizing 'Other Tools' which lists and
gives a brief synopsis of the various add-ons and extension packages available for PF. I didn't know so many existed! The list is in alphabetical order so you will have to read through them all if you are looking for any particular one. I would have preferred a
sectioned list instead.

As for the donations questions raised when the book was first announced/published, I've confirmed that funds have made their way to the project though it seems
as though the distributor has been giving Jeremy a hard time redeeming on sales.

If I was to force myself into an Amazon rating I would give 'The OpenBSD Packet Filter Book' 3.5 out of 5 puffies.

Note:a complementary copy of the above book was sent to me for review on this site.

(Comments are closed)

By
tmib (tmib) t m i b AT x s 4 a l l DOT n l
on 2006-12-27 11:05

Nice review, I am looking forward to reading the book as well. Will it be available from OpenBSD orders and/or OpenBSD orders EU in the future, or do I have to buy it from Lulu/Amazon/whatever?

By
sean (sean) sean@tinfoilhat.ca
on 2006-12-27 15:43
I don't work here.

> Nice review, I am looking forward to reading the book as well.
> Will it be available from OpenBSD orders and/or OpenBSD orders EU
> in the future, or do I have to buy it from Lulu/Amazon/whatever?

The latter.

By
Anonymous Coward ()
on 2006-12-27 14:04

Am I the only guy who is surprised to know that the website, the FAQ, and the man pages are "BSD licensed" as Jeremy Reed states in his book/website?

I have only seen copyright statements about those things, so I'm wondering if he really had the permission to use them.

> Am I the only guy who is surprised to know that the website, the FAQ, and the man pages are "BSD licensed" as Jeremy Reed states in his book/website?
>
> I have only seen copyright statements about those things, so I'm wondering if he really had the permission to use them.
>
> Obviously nobody will sue him, but...

> Am I the only guy who is surprised to know that the website, the FAQ,
> and the man pages are "BSD licensed" as Jeremy Reed states in his
> book/website?
>
> I have only seen copyright statements about those things, so I'm
> wondering if he really had the permission to use them.
>
> Obviously nobody will sue him, but...

That's not so obvious to me. We'd defend it vigorously if needed. There are a few people around who can attest to that.

HOWEVER, that's not needed here. After much discussion, including Theo thinking we were a bit nuts, Joel Knight and I did put the entire PF FAQ under a nice, simple BSDish license...see the HTML source. We did this fully understanding the potential implications of this, and this was one of the ones we understood could happen, and we were ok with that then, and still are now.

It turned out Joel and I had been thinking about doing this for some time independantly, and when FreeBSD imported PF, we were approached about making the PF Users' Guide available to them to jumpstart their documentation efforts.

Note: the rest of the FAQ and the website is under standard copyright, and is likely to stay that way.